Skip to main content

Shmoocon 2016

ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.

39
RESULTS
rss



PART OF
Shmoocon
Hacker Conferences

LANGUAGE
English 39
SHOW DETAILS
up-solid down-solid
eye
Title
Date Archived
Creator
Shmoocon 2016
by Andrew Kalat
movies
eye 20,751
favorite 1
comment 0
Most hackers have a massive digital footprint: social media, servers at co-location sites, servers at home, overly-complicated IT infrastructure, and various other IT gear connected in crazy ways. What happens when one of us suddenly dies? How do our loved ones pick up the pieces, figure out all of our random IT crap that we’ve setup, and move forward? This talk explores the challenges, opportunities, and lessons learned as I aided in figure out the IT gear after the passing of a dear friend...
Shmoocon 2016
by Gillian Andrews and Sara Sinclair Brody
movies
eye 15,411
favorite 0
comment 0
As a technologist you craft systems that are reliable, scalable, and maintainable. As a security specialist you think adversarially and poke holes in every apparatus you encounter, be it technical, social, or socio-technical. These skills are orthogonal to the ones that good user-experience (UX) designers employ in making software that is usable by “average” people, which is probably why so many security tools suck. In this talk you’ll see why your approach to designing software...
Shmoocon 2016
by Professor Neil Gershenfeld
movies
eye 14,064
favorite 0
comment 0
Prof. Neil Gershenfeld is the Director of MIT’s Center for Bits and Atoms. His unique laboratory is breaking down boundaries between the digital and physical worlds, from creating molecular quantum computers to virtuosic musical instruments. Technology from his lab has been seen and used in settings including New York’s Museum of Modern Art and rural Indian villages, the White House and the World Economic Forum, inner-city community centers and automobile safety systems, Las Vegas shows,...
Shmoocon 2016
movies
eye 3,955
favorite 2
comment 0
Every IR presents unique challenges. But–when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day–the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the...
Shmoocon 2016
by Roger Piqueras Jover
movies
eye 1,345
favorite 0
comment 0
The Long Term Evolution (LTE) is the newest standard being deployed globally for mobile communications. Despite the well understood security flaws of legacy 2G networks, which lack of mutual authentication and implement an outdated encryption algorithm, LTE is generally considered secure given its mutual authentication and strong encryption scheme. To the day, the main cellular vulnerabilities being exploited in most IMSI catchers and stingrays are based on 2G base stations. Nevertheless, rogue...
Shmoocon 2016
movies
eye 1,161
favorite 0
comment 0
This presentation will explore how you can survey the wireless world of the radio spectrum to get an idea of the signals around you, and decode transmissions that can be received by pointing an antenna towards satellites in space. Both are accomplished using Software Defined Radio and open source software, and emphasis is placed on the security (or lack thereof) in these communications systems. Using a drone, you can create your very own airborne RF surveying platform, so that you can fly your...
Shmoocon 2016
by Carl Vincent
movies
eye 1,155
favorite 0
comment 0
This talk focuses on showcasing examples of the GO programming language being utilized to rapidly prototype, and ultimately maintain software designed to perform common or useful post-exploitation tasks. Source code for each feature will be provided, and is intended to exaggerate the limited amount of code and code familiarity required to construct relatively complex payloads capable of performing offensive security tasks fully either in an automated, or fully antonymous context. Carl is a...
Shmoocon 2016
movies
eye 881
favorite 0
comment 0
We’ve taken a novel approach to automating the determination of a phisher’s geographic location. With the help of Markov chains, we craft honeypot responses to phishers’ emails in an attempt to beat them at their own game. We’ll examine the underlying concepts, implementation of the system, and reveal some of the results from our ongoing experiment. Robbie Gallagher is a security engineer with Atlassian in Austin, Texas. He received his bachelor’s degree in applied computing...
Shmoocon 2016
by Sean Cassidy
movies
eye 757
favorite 0
comment 0
LastPass holds all of your secrets. Its login prompts and alerts occur within the browser window, which attackers can control. When the victim visits the target site–which can look completely inconspicuous, such as a news website–after a delay a LastPass notification will appear if the user has LastPass installed prompting the user to log in because their session has expired. The log in screen, which always appears within the browser window, is customized for each browser and operating...
Shmoocon 2016
movies
eye 720
favorite 0
comment 0
Every day, passionate security professionals encounter a common problem: after bringing a student or colleague up to speed on best practices, it feels like nothing stuck. Why does this happen? And how can we change it up to get better outcomes? This talk will help IT and security professionals find common ground with non-technical users. In addition to sharing people-friendly metaphors, it will give attendees a solid set of communication strategies, and approaches to educate the average user...
Shmoocon 2016
movies
eye 712
favorite 0
comment 0
In the system hardening space, we’ve been using chroot jails to contain compromised programs. These jails were better than nothing, but were easily escaped by many attackers. As Linux containers become more mature, we can use them to replace these jails. This talk will teach you how to use Linux Containers, through both Docker and Ubuntu’s new LXD, to create far better jails for programs, containing their compromise. You will leave this demo-heavy talk immediately able to use both...
Shmoocon 2016
by Kristin Paget
movies
eye 693
favorite 0
comment 0
A few years ago I had cause to do some research into RFID “shielding” wallets, and decided that most of them weren’t very good. Even the good ones could be disabled by simply increasing power; I came away thoroughly unimpressed with the entire concept. I thought about it for a bit, and then came up with GuardBunny. It prevents RFID tags from being read in a different way – by jamming the reader with its own energy. In its current form GuardBunny provides decent protection but it isn’t...
Shmoocon 2016
movies
eye 641
favorite 0
comment 0
The platforms powering the growth of the Internet-of-Things include tried-and-true embedded Real-Time Operating Systems (RTOSes). These lean OSes are designed for performance and reliability, but they force application developers to use C and often lack the exploit mitigations implemented in consumer OSes. This unforgiving environment places the burden of security entirely on the programmer and makes the risk of memory corruption vulnerabilities on these increasingly ubiquitous systems very...
Shmoocon 2016
by Karl Koscher
movies
eye 639
favorite 0
comment 0
Over the past few years, interest in ICS/SCADA systems security has grown immensely. However, most of this interest has been focused on IP-connected SCADA networks, largely ignoring numerous deployments relying on other technologies such as wireless serial links. In this talk, I’ll introduce a new GNU Radio module which lets you sniff SCADA networks that use a popular RF modem for their communications. I’ll also describe the process of reverse-engineering the proprietary RF protocol used....
Shmoocon 2016
by Tyler Bohan and Brandon Edwards
movies
eye 504
favorite 0
comment 0
Although OSX has had a large gain in popularity, its underlying workings are still unknown to many. In this talk we will discuss OSX internals and how they relate to security research. Specifically, we will discuss the debugging functionality provided (or missing) on OSX, how it differs from other platforms, and the resulting state of tools (LLDB) unwieldy for many security research tasks on modern OSX. For this talk we will open source our private OSX Python scriptable debugger as a...
Shmoocon 2016
by Alex Moneger
movies
eye 425
favorite 0
comment 0
With the ever growing number of attacks against SSL/TLS, quick turnaround time is required to write proof of concept code to test new attacks. Extending existing TLS stacks to implement such code is difficult and error prone. Due to that need, we developed an offensive focused TLS stack which allows to quickly prototype attacks against all elements of the stack (protocol, crypto, certificates, …) scapy-ssl_tls is an offensive TLS stack which lives above scapy. I will demonstrate how to look...
Shmoocon 2016
movies
eye 420
favorite 0
comment 0
The great thing about standards is there are so many to choose from. That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways to store that password. But how do these work? Is any one system better than another, and if so, why? Application testers need to understand how an app authenticates, in order to properly assess risk. Developers need to be able to make good...
Shmoocon 2016
by Alex Bulazel
movies
eye 412
favorite 0
comment 0
AVLeak is a tool for fingerprinting consumer antivirus emulators through automated black box testing. AVLeak can be used to extract information from AV emulators that may be used to detect their presence and evade detection, including environmental artifacts, OS API behavioral inconsistencies, emulation of network connectivity, timing inconsistencies, and CPU emulator “red pills”. These artifacts of emulation may be discovered through painstaking, time consuming binary reverse engineering,...
Shmoocon 2016
by Jean-Philippe Aumasson
movies
eye 379
favorite 0
comment 0
This is an extension of my DEFCON 23 talk “Quantum computers vs computers security” where I’ll tell you more about the recent 1000-qubit processor and about postquantum crypto’s latest developments. I’ll also tell you how today’s encryption systems are affected (PGP, TLS, OTR, and others) and what you should do if you believe that quantum computers will soon be working. Jean-Philippe (JP) Aumasson (@veorq) is Principal Cryptographer at Kudelski Security, in Switzerland. He designed...
Shmoocon 2016
movies
eye 377
favorite 0
comment 0
According to VirusTotal, almost 500,000 unique malware samples are seen by them every day. That doesn’t include all the malware VirusTotal doesn’t see. The shear deluge of unique malware samples makes it difficult for incident responders to keep up to protect their networks. Even more difficult is the task to investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations. The size and scope of malware may seem daunting, but...
Shmoocon 2016
movies
eye 372
favorite 0
comment 0
To hide data from a the forensic practitioner you need to exploit either a gap in their knowledge, their processes, and/or their tools. This is a talk about all three in regards to Apple OS X and iOS code signing. Much research has been conducted around code signing with respect to preventing malicious code execution at binary load time. This strictly about forensics, binary tampering, and data smuggling. Josh Pitts (@midnite_runr) likes to write code that patches code with other code via The...
Shmoocon 2016
movies
eye 354
favorite 0
comment 0
Are you a Bond villain, whistle-blower, clandestine operative, secret courier, paranoid schizophrenic or generally sketchy character who wants the ability to make your data go up in a puff of smoke at the drop of a hat when the bad guys close in? This talk will focus on implementing practical, low cost, and not entirely unsafe mobile data destruction solutions for your hopefully imaginary needs. Going beyond Shane Lawson, Bruce Potter, and Deviant Ollam’s 3U rackmount requirements from DEFCON...
Shmoocon 2016
movies
eye 350
favorite 0
comment 0
Big Data Analytics and Machine Learning are pervasive in the decision-making processes of major corporations and governments around the world. This fact introduces a new opportunity and attack vector for hackers — instead of stealing data, attackers can potentially influence or control the decisions of their victims. In our talk we highlight the poor decisions that developers make in their code that enables attackers to drastically skew machine learning models, deliver denial of service...
Shmoocon 2016
movies
eye 323
favorite 0
comment 0
#thingswikfound #omarax is a by-product of hunting for phishing and other badness on the internet. Each day I scan over 2 million newly created domains from a wide range of TLDs, locating everything from 8XX tech support scams to Brand name phishing attempts. Now I understand that scanning the internet for these things isn’t new in general, but I promise you that my approach is different (and at the very least an entertaining story). Jaime ‘WiK’ Filson (@jaimefilson) is a Research...
Shmoocon 2016
by Greg Conti (moderator), Mara Tam, Vincenzo Iozzo, Jeff Moss, and Randy Wheeler
movies
eye 315
favorite 0
comment 0
"[E]very speaker, every writer, every practitioner in the field of cyber security who has wished that its topic, and us with it, were taken seriously has gotten their wish….”[W]e” and the cyber security issue have never been more at the forefront of policy. And you ain’t seen nothing yet.’ — Dan Geer, “Cybersecurity as Realpolitik” We still haven’t. The regulatory and policy landscape around information security is expanding and shifting rapidly. Challenges faced by the...
Shmoocon 2016
by Sarah Rees and Jonathan Medina
movies
eye 299
favorite 1
comment 0
In the age of an “Internet of Things,” centralized control over a wide variety of devices is creeping down from the clouds and into our everyday lives. Software Defined Networking (SDN) is replacing traditional networks with some of the biggest names in the tech industry. Google, Microsoft, Facebook, Yahoo, Amazon, and AT&T are utilizing SDN for its advanced flexibility and automated network control. Unfortunately some functions of SDN and the OpenFlow protocol should be raising...
Shmoocon 2016
by Patrick Wardle
movies
eye 298
favorite 0
comment 0
Gatekeeper is an anti-malware feature baked directly into OS X. Its single goal is to block the execution of untrusted code from the internet. Apple boldly claims that because of Gatekeeper, both trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure…right? Well, perhaps not :/ Until now, there has been little technical information about Gatekeeper’s closed-source internals. This talk seeks to remedy this by exposing the inner workings of Gatekeeper and...
Microsoft Windows has a long history of outstanding security vulnerabilities that many of us in the security industry are well aware of. Microsoft has released advisories with mitigations for some of these vulnerabilities, however due to compatibility, performance, and time/budget constraints, these mitigations are often not deployed consistently. In this project we take advantage of a number of these issues to develop a local privilege escalation exploit for Microsoft Windows that is safe and...
Shmoocon 2016
by Matt Blaze (moderator), Greg Conti, Rick Forno, and Jeff Foster
movies
eye 260
favorite 0
comment 0
As information security grows nearly exponentially, it’s hard to remember back 15 years ago to a time when the industry was just starting to take off. At that time, most of the individuals in this industry were self taught with respect to this discipline. There were only a few handful of information security programs in academia. Contrast that to today where there are hundreds of programs across the nation with new ones springing up every semester. As far as academia goes, that kind of growth...
Shmoocon 2016
movies
eye 234
favorite 1
comment 0
Explore a base level problem in static malware analysis, that we have too many samples to analyze, by leveraging the parallelization of GPGPUs — an advantage is gained by moving the problem into the visual plane and solving similarity by texture analysis in parallel. I’ve clustered a few hundred million PEs by organizing them by how the “look.” Debugging is accompanied by making movies of the visualization. The real utility of the art is speed. A malware sample can be analyzed on an...
Shmoocon 2016
by The Shmoo Group
movies
eye 231
favorite 0
comment 0
For eleven years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the break down of budget, an insight to the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything thing else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or...
Shmoocon 2016
by Joseph Hall and Ben Ramsey
movies
eye 206
favorite 0
comment 0
Smart energy and building automation are powerful technologies with significant promise. Unfortunately, the global rush to connect as many devices to the network as possible leads to unintended vulnerabilities. The ability to physically damage hardware by abusing network access is particularly interesting. This talk has two goals: 1) introduce an open source tool for pen-testing proprietary Z-Wave wireless automation networks and 2) discuss a rapid process for destroying florescent lights....
Shmoocon 2016
by Chris Eng
movies
eye 190
favorite 0
comment 0
Every industry faces the challenge of securing software, so why do some industries “get it” while others struggle to manage the problem at scale? In this session, we will share data drawn from over 200,000 application assessments performed via Veracode’s cloud platform over an 18-month period. This is the largest data set of its kind, and it provides unique insight into the state of software security. Attendees can use this information to benchmark their AppSec program against peers,...
Shmoocon 2016
by Trey Herr and Eric Armbrust
movies
eye 172
favorite 0
comment 0
How can political and computer science get together to make something beautiful? The pervasive development and deployment of malicious software by states presents a new challenge for the information security and policy communities because of the resource advantage and legal status of governments. The difference between state and non-state authored code is typically described in vague terms of sophistication, contributing to the inaccurate confirmation bias of many that states simply ‘do it...
Shmoocon 2016
by Nick Leiserson and Jen Ellis
movies
eye 162
favorite 0
comment 0
In 2015, 74 bills containing the term “cybersecurity” were introduced in Congress; the Library of Congress approved a security research exemption for the DMCA; the President signed two cybersecurity-related Executive Orders; and various Government agencies debated how to control exports of intrusion technologies. This trend will continue in 2016 as more breaches and vulnerabilities hit the headlines, and technology continues to become more pervasive in our lives. Government policy impacts...
Shmoocon 2016
by The Shmoo Group
movies
eye 140
favorite 0
comment 0
The attendees of Shmoocon 2016 are welcomed to the conference, given basic information about the conferences offerings, and the events to look forward to.
Shmoocon 2016
movies
eye 140
favorite 0
comment 0
The Algebraic Eraser (AE) is a Group Theoretic Public-Key Cryptosystem originally published in 2006 and designed specifically to work in constrained devices with limited CPU and power capabilities such as RFID and Internet of Things (IoT) devices. Algebraic Eraser Diffie-Hellman (AEDH) provides a key-agreement protocol that performs significantly better than ECC at the same security level in both hardware and software. One hardware implementation in 65nm CMOS performs 60-200 times better than...
Shmoocon 2016
by Kurt Opsahl, Andrew Crocker, Bill Buddington, and Eva Galperin
movies
eye 138
favorite 0
comment 0
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA surveillance and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology projects to protect privacy and...
Shmoocon 2016
movies
eye 119
favorite 0
comment 0
John & Rob have been developing interesting ideas in how to present large analytic results to analysts for making decisions in defending their networks. This idea is an evolution of a talk presented at THOTCON & CarolinaCon last year and development John & Rob have done over the past 4 years on streaming network analytics. We have developed a concept to provide the output network data and analytics through mathematically driven visualizations. In this example, we show 1024 analytics...